I. INTRODUCTION


A  conventional  explosive  train  consists  of  a  fuze,  detonator,  safe/arming* 
(s/a)  mechanism,  booster,  and  warhead.  The  s/a  mechanism  is  interposed  between 
the  detonator  and  booster  to  protect  the  main  explosive  charge  from  accidental 
detonation  of  the  sensitive  primary  explosive  in  the  detonator  (see  Figure  1). 
Historically,  the  approach  used  in  s/a  devices  has  been  the  "out-of-line" 
method.  The  detonator  is  separated  from  the  booster  by  one  or  more  physical 
barriers. Accidental detonation of the detonator cannot penetrate the barrier(s)
and so will not cause detonation of the warhead.

Although  this  method  is  simple  and  direct,  some  deficiencies  have  long 
been  noted,  including  quality  assurance  problems,  insufficient  reliability, 
and  vulnerability  to  environmental  degradation.  To  combat  these  deficiencies, 
alternative  safing  methods,  so-called  "in-line"  devices,  have  been  proposed 
to  eliminate  the  out-of-line  mechanisms  in  conventional  weapons.  Proposed 
devices can be partitioned into two categories: high-power devices and low-power
devices.

In  the  high-power  method  the  primary  explosive  detonator  is  replaced  with 
one  that  has  no  primary  explosive  at  all.  Instead,  the  system  uses  a  very 
high-power  electrical  supply  capable  of  detonating  booster  explosive  directly. 
The  detonator  can  thus  be  placed  in  direct  line  with  the  main  charge.  The 
safe/arm function is not eliminated, since the high-power electrical supply
must be isolated from the warhead by an electrical s/a device (see Figure 2).
The  high-power  approach  requires  cost  and  volume  allocations  which  may  not  be 
available. 

The  low-power  method  uses  a  set  of  detonators  which  contain  primary 
explosive.  When  the  fuze  makes  the  decision  to  detonate  the  warhead,  it 
generates  an  electrical  code.  The  code  is  sent  to  the  set  of  detonators 
which converts the electrical code into a set of (perhaps sequenced) detonations.
The s/a device then examines the coded set of detonations and determines
if the code is valid. If so, the warhead is detonated. If not, the
system duds (see Figure 3).

Although  it  is  currently  in  a  more  advanced  stage  of  development,  the 
high-power  method  follows  the  general  approach  used  in  nuclear  devices  where 
safety  and  reliability  are  important,  but  cost  and  volume  limitations 
are  not  as  severe  as  they  are  in  conventional  weapons.  This  report  will 
discuss  only  the  safety/reliability  requirements  of  low  power  s/a  devices, 
but  some  of  the  discussion  is  relevant  to  analysis  of  s/a  mechanisms  in 
general.

* Safe/arming, safe/arm, and s/a are used interchangeably in this report.

II. OBJECTIVES


The  work  reported  here  was  undertaken  in  support  of  the  Explosive  Logic 
Technology project at the Ballistic Research Laboratory (BRL). Its purpose
was  to  quantitatively  define  the  requirements,  limitations,  and  utility  of 
applying  explosive  logic  to  the  design  of  in-line  safe/arming  systems.  Of 
particular  interest  was  the  analysis  of  those  in-line  safe/arm  devices  currently 
being  investigated  at  BRL  and  other  laboratories. 


III.  GENERALIZING  THE  SAFE/ARMING  PROCESS 

When we examine Figures 1-3, it becomes clear that the traditional safe/arm
mechanism - a mechanical barrier between detonator and warhead - must be
generalized to include the new kinds of systems. The environment acts as a
source of information. The fuze interprets this information. When the fuze
determines that the information it has received warrants action, it sends
commands to the s/a device. The safe/arm device must examine these commands to
make sure that they come from a legitimate fuze decision rather than from
some stray environmental signal. From this viewpoint, we can state a general
definition of the safe/arming process.

THE  SAFE/ARMING  PROCESS  IS  ONE  OF  VALIDATING 
A  FUZE  ORDER  TO  DETONATE  THE  WARHEAD. 

The power of this simple generalization becomes apparent when we examine
just how the s/a device goes about conducting its validation. The s/a device
decision is a conceptually simple one - either the fuze ordered an action or
it did not. However, when we impose stringent reliability and safety
requirements on the results of the s/a device decision, then the validation
process becomes difficult. The complexities added by safety and reliability
criteria are illustrated in Figure 4, which shows the interpretation of the
s/a device decision as a statistical process: If the s/a device accepts the
H0 hypothesis (fuze order is correct), then it risks an error of the second
kind - that the fuze order was not actually correct. Since the whole purpose
of the s/a device is to avoid this kind of mistake, the standards for safety
(error of the second kind) are high:

THERE  SHOULD  BE  NO  MORE  THAN  ONE 
CHANCE  IN  ONE  MILLION  THAT  THE 
S/A  METHOD  WILL  DETONATE  THE  WARHEAD  ON  A  FALSE  SIGNAL. 

If the s/a device tries to meet its safety requirements by rejecting H0,
then it is accepting the alternate hypothesis (that the code is invalid), H1.
Accepting H1 when, in fact, the code WAS valid is an error of the first
kind - the reliability problem. Reliability standards are less well defined
than safety standards for s/a devices, but we can develop one of our own by
noting that users are unlikely to want a complicated s/a method that is less
reliable than a simple one. Although compromises with this rule on reliability
are often forced upon designers, it is a useful guide. To state this formally:

THE  DETONATOR  RELIABILITY  OF  ANY  S/A  SYSTEM 
SHOULD  BE  AS  HIGH  AS  THE  DETONATOR 
RELIABILITY  OF  A  SINGLE  DETONATOR  SYSTEM. 

Using  the  generalized  concept  that  the  s/a  process  is  a  validation  step 
between  fuze  and  warhead,  the  systems  of  Figures  1-3  can  be  combined  into  the 
conceptual  organization  shown  in  Figure  5.  Here  the  explosive  train  is  viewed 
as  a  mathematical  system.  The  fuze,  whose  function  is  to  gather  and  interpret 
environmental  information  and  make  the  detonation  decision,  represents  the 
input  code  (or  object  language)  which  is  validated  by  the  s/a  device. 

The input code is transformed into a set of binary variables at the beginning
of the s/a step - whether this step is called part of the fuze or part
of  the  s/a  process  is  arbitrary.  Even  if  the  input  quantities  are  measurable 
variables,  such  as  set  back  force  or  spin  rate,  thresholds  are  introduced  to 
make  the  quantities  binary.  This  is  necessary  in  any  type  of  s/a  process 
because  of  the  yes/no  decision  that  the  s/a  device  has  to  make. 

The  safe/arming  step  (syntax  language)  consists  of  manipulating  the  input 
code  in  order  to  determine  if  the  object  language  constitutes  a  valid  fuze 
order. In effect, the s/a process proves a "theorem" by detonating the warhead
or proves a "contradiction" by going dud. In order for any safe/arm
device to perform its mission to the levels of safety and reliability required,
it is clear that the input code must contain enough information for the decision
to be made. We can state this as a formal conclusion:

EVEN IF THE S/A "HARDWARE" WORKS PERFECTLY,
IT CANNOT EXCEED THE LIMITATIONS OF THE OBJECT LANGUAGE.
THE INPUT CODE MUST
CONTAIN SUFFICIENT INFORMATION TO MEET
BOTH SAFETY AND RELIABILITY REQUIREMENTS.




IV.  A  MATHEMATICAL  APPROACH  TO  SAFE/ARMING  ANALYSIS 


A.  S/A  Reliability 


As  we  saw  in  the  previous  section,  analysis  of  the  s/a  process  has  to 
begin  with  the  analysis  of  a  code  of  sequenced  binary  pulses.  If  the  binary 
code  sources  are  detonators,  then  the  reliability  criterion  requires  that  the 
system  detonator  reliability  must  equal  or  exceed  the  reliability  of  a  single 
detonator. This immediately excludes any system of N detonators in series
(N > 1) where all N must function, since the reliability of N detonators is
less than a single one. We can use the same criterion to examine the reliability
of other systems, such as [(N-1)/N] where all but one must function,
or [(N-2)/N] where all but two must function, etc. The easiest way to do
this is to use the binomial expression

$$R[(N-k)/N] = \sum_{s=0}^{k} \binom{N}{s} r^{N-s}(1-r)^{s} \qquad (1)$$

where R[(N-k)/N] is the reliability of an [(N-k)/N] system, and r is the
reliability of a single detonator. If the first few terms of Equation (1) are
written explicitly, we obtain

$$R[(N-k)/N] = r^{N} + N r^{N-1}(1-r) + \frac{N(N-1)}{2} r^{N-2}(1-r)^{2} + \dots \qquad (2)$$


Each  type  of  s/a  process,  which  we  will  call  a  class,  requires  a  different 
number  of  terms  of  the  binomial  expansion  shown  in  Equation  (2).  Thus  the 

[N/N] class requires only the first term
[(N-1)/N] class requires the first two terms
[(N-2)/N] class requires the first three terms, etc.

Each class has its own reliability equation of the form

$$f(r) \geq r.$$


At  the  point  where  f(r)  just  equals  r  we  can  write 


The  reliability  equations  for  the  first  three  classes  can  then  be  written 


$$[N/N]:\quad r^{N} - r = 0 \qquad (5a)$$

$$[(N-1)/N]:\quad r^{N} + N r^{N-1}(1-r) - r = 0 \qquad (5b)$$

$$[(N-2)/N]:\quad r^{N} + N r^{N-1}(1-r) + \frac{N(N-1)}{2} r^{N-2}(1-r)^{2} - r = 0 \qquad (5c)$$


Figure  6  shows  the  behavior  of  these  polynomial  functions  for  different  values 
of  r. 


Although detonators with reliability of .9999 have been built, reliability
is a function of cost. If a practical limit for detonator electrical
reliability is .99, then the limiting number of detonators in a [(N-1)/N]
class system is 15. In other words, if we can't expect the detonator to be
more than 99% reliable, then any [(N-1)/N] system with more than 15 detonators
will not meet the reliability standard. The upper limit for a [(N-2)/N] system
is 44. These values were calculated directly from Equations (5b) and
(5c). The task is to try to meet the safety requirement within the limits
set by reliability needs.
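
The limits of 15 and 44 quoted above can be reproduced from Equation (1) and the criterion f(r) >= r. The following is an added example, not code from the report; the function names are hypothetical, and the bisection helper assumes the usual single crossing of f(r) - r between 0 and 1, which is the curve Figure 6 is described as plotting.

```python
from math import comb


def system_reliability(n, k, r):
    """Eq. (1): probability that at least n-k of n detonators function,
    each detonator functioning independently with reliability r."""
    return sum(comb(n, s) * r ** (n - s) * (1 - r) ** s for s in range(k + 1))


def max_detonators(r, k, n_limit=1000):
    """Largest N for which an [(N-k)/N] system is at least as reliable
    as a single detonator of reliability r (the page's reliability rule)."""
    best = None
    for n in range(k + 1, n_limit + 1):
        if system_reliability(n, k, r) >= r:
            best = n
        else:
            break  # reliability only falls as N grows with k fixed
    return best


def min_detonator_reliability(n, k, tol=1e-12):
    """Detonator reliability at which f(r) just equals r (Eqs. 5b, 5c),
    found by bisection on f(r) - r. Needs k >= 1 and n - k >= 2 so that
    the curve starts below r and ends above it."""
    if k < 1 or n - k < 2:
        raise ValueError("no crossing strictly between 0 and 1 for this class")
    lo, hi = 1e-6, 1 - 1e-9
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if system_reliability(n, k, mid) - mid < 0:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    r = 0.99  # the practical limit assumed on the page
    for k in (0, 1, 2):
        print(f"[(N-{k})/N] at r={r}: largest admissible N =", max_detonators(r, k))
    for n in (15, 16):
        print(f"[(N-1)/N], N={n}: detonators must reach r >=",
              round(min_detonator_reliability(n, 1), 5))
```
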

B.  S/A  Safety 

System  safety  is  more  complicated  to  analyze.  Since  the  purpose  of  a 
s/a  device  is  to  protect  against  an  accidental  explosive  event,  it  is  not 
sufficient  to  assume  a  random  (unbiased)  environment.  For  any  s/a  system  we 
can  write 


$$P\{\text{System Event}\} = \sum_{\text{ALL STRESS}} P\{\text{Fail} \mid \text{Stress}\} \times P\{\text{See Stress}\} \qquad (6)$$

where P{See Stress} is the probability that the system is subjected to such
stress and P{Fail | Stress} is the probability that the system fails under such
a  stress.  A  system  event  occurs  when  the  safe/arm  device  directs  the  warhead 
to  explode.  This  equation  defines  the  necessary  and  sufficient  conditions  for 
s/a  safety.  Unfortunately,  it  is  rarely  possible  to  know  any  of  the  terms  in 
Equation  (6).  In  order  to  simplify  the  equation,  suppose  we  assume  that  the 
system  will  always  see  the  worst  possible  stress.  Then  we  can  write 


$$P\{\text{System Event}\} \le P\{\text{System Fails} \mid \text{Worst Stress}\} \qquad (7)$$

This is much stronger than the necessary and sufficient condition, but it does
achieve simplification of the unknown terms. For a specified system we can
try to determine how the application of the worst possible conditions will
affect the performance of the s/a device. Since the stress will be applied
through the individual detonators, each of which must perform correctly, we can
write


$$P\{\text{System Event}\} \le S\left(P\{\text{Individual Det. Fails Under Worst Stress}\}\right) < 10^{-6} \qquad (8)$$

where S is a strategy function determined by the structure of the system.

This is clearly a worst-case assumption, and one might legitimately argue
that it is too severe. The issue ultimately devolves into an explicit question:
Do we design for the worst possible situation or for something less?

The  answer  to  the  question  is  beyond  the  scope  of  this  report. 

If  the  value  of  S  can  be  held  below  the  safety  criterion  (one  failure/ 
million  trials),  then  we  are  assured  that  the  s/a  system  will  meet  the  safety 
criterion  AS  FAR  AS  DETONATOR  SAFETY  IS  CONCERNED.  The  capitalization  is  used 
to  emphasize  that  design  weaknesses  that  permit  environmental  stress  to 
"sneak  around"  the  s/a  device  logic  and  detonate  the  warhead  are  a  separate 
problem.  This  analysis  only  examines  detonator  strategies. 

V.  ENVIRONMENTAL  STRESS 

In the preceding section, we developed an approach to s/a device analysis
which assumed that the worst possible environmental conditions will be
experienced by a s/a device. The approach requires stipulation of two
parameters: the stress imposed by the environment and the system response to
that stress.

A.  Partitioning  Environments  by  Range  of  Application 


Environmental  stresses  can  be  characterized  by  their  range  of  application. 
If  a  stress  can  "reach  in"  and  exercise  an  individual  detonator,  or  proper 
subset  of  detonators,  then  we  shall  call  it  "Local."  If  a  stress  must  be 
applied more-or-less simultaneously and equally to all the detonators (system
as a whole), then we will call it "Global."

B.  Partitioning  Environments  by  Intelligence 


Environmental  stresses  can  also  be  characterized  by  whether  or  not  they 
are  "planned."  If  a  stress  is  deliberately  applied  in  intensity  and  timing, 
then  we  will  call  it  "Intelligent."  If  its  intensity  and  timing  are  purely 
by chance, then it is "Random."

Applying both kinds of partitions simultaneously, we obtain the following
categories:

Intelligent  Local  Environments 

An intelligent environment "knows our code." If a set of stresses is
applied with both intelligence and control (local environment), then no
code-based system is able to withstand such an attack. One must abandon at the
outset any hope of defeating an intelligent local environment.

Random  Local  Environments 


If a local environment is random rather than intelligent, then the problem
of defeating the stress can be solved. One solution consists of simply
providing enough equally likely alternatives so that the probability of picking
the correct one at random is less than the specified safety level, $10^{-6}$.
For a set of equally likely detonators, each of which must go off in order,
we obtain

$$P\{\text{system failure}\} = 1/N! = 10^{-6}$$

Solving for N,

$$N = 10 \text{ detonators.}$$


While  the  size  of  this  number  is  distressing,  the  possibility  that  a  solution 
exists  is  gratifying! 

Random  Global  Environments 

This category of environment is not analyzed. Random global environments
are covered by the next environmental category because of the worst-case
hypothesis.

Intelligent  Global  Environments 

This  environment  consists  of  one  or  more  global  stresses  applied  in  the 
manner  best  designed  to  defeat  the  s/a  strategy.  The  intelligent  global 
environment  is  examined  in  the  remainder  of  the  report. 


Quantification of Environments


For a simple s/a system, such as two detonators that must function with
any order or timing to provide an output, the best way to defeat the s/a process
is to make the environment as intense as possible. If the probability
that any single detonator will fail is unity, then the simple s/a device
is guaranteed to fail. Suppose, however, that the detonators must not only
function, but they must function in a particular order and, perhaps, with a
specified time between functions. A single, intense stress will not suffice
to defeat this system with the same certainty as before. The more sophisticated
system requires two distinct stresses properly sequenced. If the first
stress is too intense, it may detonate both detonators and thus not yield a
system event. It will be shown that the best way to attack such a system is
to use a less stressful environment at the beginning and to progressively
increase intensity until the last stress always makes the detonators function.
Obviously, the worst possible stress on any particular system depends on the
internal structure of the system, i.e., how the system interprets the environment
it sees. In order to conduct a worst-case analysis it is necessary to
consider the s/a process in an adversary relationship vis-a-vis its environment.
The s/a process will have some specified decision-making structure (or
strategy). The environment will attack the s/a strategy with a strategy of
its own - a strategy that we structure to maximize the probability of producing
a s/a defeat.

[Figure 4. The S/A Decision. The s/a device either accepts H0 (accept code and detonate: the safety problem, < 10^-6) or accepts H1 (reject code and dud: the reliability problem, single detonator reliability).]

[Figure 5. Safe/Arming Process as a Mathematical System. Fuze (object language), S/A device (syntax language), warhead ("theorem").]

[Figure 6. Detonator Reliability Needed to Meet System Criteria for [(N-1)/N] and [(N-2)/N] Systems]


Since the optimal s/a strategy is precisely what we seek, it is productive
to examine the problem in reverse order - find out what environments the s/a
device may experience and then pick a s/a strategy to survive those environments.
Specifying the "worst possible environment" for a s/a strategy can
be facilitated by generalizing the concept of environmental stress. We would
like to divorce the measure of environment from its physical description -
that is, whether the stress arises from fire, electromagnetic pulse (EMP),
etc. To do this, we pick some detonator as a standard. The sensitivity of
the standard is, by definition, unity. Environmental stress intensity (E)
can then be defined by

$$E = P\{\text{the standard detonator fails}\} \qquad (11)$$


Equation (11) defines the intensity (measure) of environmental stress as a
probability function - the probability that if the system to be tested exists at
the time of the trial, and if the system to be tested is replaced by the
standard detonator, then the standard detonator would fail the trial (detonator
fires). One can immediately conceive of complications arising from this
definition. What if the stress is spread out over a period of time? What
if the s/a device is stressed again and again?

The first complication can be accommodated by introducing a distribution
function F(t)

$$E = E(t_2) - E(t_1) = \int_{t_1}^{t_2} F(t)\,dt \qquad (12)$$


The functional form of F(t) will depend on the chosen environment. The second
complication is really a statement that a system is often subjected to repeated
trials. In a series of trials the history of previous results affects
the outcome of any trial. This can best be handled by retaining the definition
of Equation (11) and defining

$$E\{\text{second trial}\} = P\{\text{standard detonator fails second trial given it survived the first trial}\} \qquad (13)$$


The  probability  of  the  standard  detonator  surviving  two  successive  trials 
would  be 


P 


surviving  both  trials 


(14) 


The concept of repeated trials is the basis for most environments. Using the
standard detonator concept, we can begin to explore the kinds of environmental
stress a system might experience. Stresses can arise from environments
like fire (cookoff), temperature cycling, shock (mechanical or EMP), vibration,
and even a modulated envelope of shock and vibration. The simplest
class of stresses are those in which a single trial is described by a
distribution function, F(t), as in Equation (12). If F(t) increases monotonically
from time zero, then the stress models a cookoff-type environment, E1. The
environmental stress type is labeled Ei, whereas the associated intensity
is defined as $E_i$. If F(t) has some pulse-like structure, such as the normal
distribution, then it models a temperature-cycle environment, E2. A stress
of the E2 type which is very narrow, e.g., a normal distribution with a small
σ, models a mechanical or electromagnetic (EMP) shock. If we take the limiting
value of a decreasing σ

$$\lim_{\sigma \to 0} E2(t,\sigma) \to E3, \quad \text{mechanical or EMP shock.} \qquad (15)$$
More complicated environments can be composed of sequences of E2 and E3 stresses.
Perhaps  the  most  complicated  would  be  a  sequence  of  mixed  E2  and  E3  stresses 
of  variable  intensity  and  timing  to  form  a  modulated  envelope  of  stresses. 


Any safe/arm strategy must survive all of the environments. The
worst-case hypothesis implies that the s/a device will be characterized
by its performance against whichever system of stresses produces the
lowest probability of survival. If $P_i$ is the probability of the s/a strategy
failing environmental stress Ei, then the worst-case measure of s/a failure
would be

$$M(s/a) = \text{maximum}\,\{P_i\} \qquad (16)$$


where  M(s/a)  is  the  worst-case  measure. 


VI. ANALYSIS OF SIMPLE SAFE/ARMING STRATEGIES

To  analyze  an  environment  that  is  intelligent  and  global,  we  seek  to 
exercise  the  different  types  of  stress,  Ei,  against  whatever  safe/arm 
strategies  can  be  arrayed  to  resist  the  stresses. 

We  can  identify  five  simple  strategies  as  basic  ones: 

S1: TIMELESS: A specified number of detonators must function without
regard to order or timing.

S2: SIMULTANEOUS: A specified number of detonators must function within
some small time, t, of each other.

S3: SIMPLE ORDERING: (Sequential but not time-gated)* A specified set
of detonators must function in proper order without regard to the timing
between them.

S4: SEQUENTIAL: (Time-gated) Each detonator of a specified set must
function in the correct order and at the proper time with respect to an
absolute time standard.

*The notation "time-gated" for strategies was suggested by D. Overman, US
Army ERADCOM, Harry Diamond Laboratories, in a private communication.

S5: SYNCHRONOUS: Each detonator of a specified set must function in the
correct order and at the proper time with respect to a time standard
established by one of the detonators. This differs from an S4 strategy because
the time standard has the same uncertainty of function (jitter time) as the
other system detonators. The time standard is generally chosen to be the
first detonator to function that must function properly if the system itself
is to function properly. In a [N/N] system, every detonator is needed; so
the time standard is the first detonator. In a [(N-1)/N] system, one failure
is permitted; so the time standard is the second detonator to function. In
a [(N-k)/N] system, the time standard would be detonator number (k+1).

By biasing the timing of the detonators, a Synchronous strategy can be
changed to a pseudo-S4: Sequential strategy. This has been confirmed by
numerical analysis.* Consequently, analysis of synchronous systems is covered by
analysis of sequential ones.

*W. Baker, System Engineering & Concepts Analysis Division, US Army
Ballistic Research Laboratory, private communication.

The S1: TIMELESS strategy is considered for mathematical rather than practical
reasons. If an E1 type of stress is applied to a S1 system, then the
probability of system failure can be made arbitrarily close to unity by simply
increasing the stress. The S1 strategy is not viable for practical use because
simple stresses like fire will defeat it.

The S2: SIMULTANEOUS strategy appears at first glance to be viable. If a
stress of intensity E is used to exercise a two-detonator system using the
S2 strategy, then the probability that both will fail is $E^2$. For an N-detonator
system, where all N detonators must function simultaneously, the probability
that all will function is $E^N$. Clearly, this looks like a good strategy.

The above argument is deceptive. Under the worst-case hypothesis we
must assume that the intensity of the environmental stress can be raised as
high as desired, including unity. When E=1, then all detonators are guaranteed
to function. The safety of the s/a strategy then depends entirely
upon whether or not the detonators function sufficiently close together to
be considered simultaneous. This problem is analyzed in detail in Appendix A.
The results are shown in Figure A-1, where the environmental stress width
is scaled in terms of the width of the time-gate needed for detonators to
be considered "simultaneous." The two curves show the performance of
[(N-1)/N] and [N/N] systems, respectively, since these are the only ones of
practical importance. The [(N-1)/N] system requires that at least (N-1)
of the detonators be within the required simultaneity time-gate, while the
[N/N] system requires that all N be within the time-gate. Each curve represents
the stress width that can be tolerated by the system without failing
a $10^{-6}$ safety requirement. What we see in Figure A-1 is that even for a system
with 15 detonators (the limit if a [(N-1)/N] system is to meet the reliability
criteria), a stress about one time gate in width will defeat the s/a strategy.
Since the time gate is of the order of ten micro-seconds, it is clear that the
S2 strategy is vulnerable to shock. It is not a viable strategy because high
shocks are common in military environments.

The  S3:  SIMPLE  ORDERING  strategy  requires  that  detonators  fire  in  a  prescribed 
order. Although at first glance this strategy might seem inferior to the
simultaneous strategy because it does not consider timing, simple order really
contains  more  information  than  simultaneity.  Since  detonator  timing  is  not 
significant,  no  timed  environmental  strategy  has  any  advantage  over  another. 

For  an  S3 [N/N]  strategy  we  can  write 


P 


system 

event 
all fail
in  order 


all  fail 

in  any  order 


(17b) 

(17c) 


(17d) 


where P (all fail in any order) is exactly the probability function for the
S1 [N/N] case discussed under S1 of the previous page.


In  order  to  meet  the  1/million  safety  criterion 


For an [(N-1)/N] system, it is shown in Appendix B that

$$P\{\text{system event}\} = S(N) = [2N-3+S(N-1)]/N!$$

for N > 2. S(2) = 2 by definition

which gives

$N = 11:\quad P\{\text{system event}\} = 2.5 \times 10^{-6}$

N = 12: P{system event} = 2.5x10


Thus,  depending  on  one's  conservatism,  we  need  [10/11]  or  [11/12]  to  satisfy 
the  safety  requirement. 
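
The sizing of the S3 strategy can be checked numerically. The following is an added example, not code from the report or its Appendix B. It assumes that S(N) counts the firing orders an [(N-1)/N] simple-ordering device accepts, so that P{system event} = S(N)/N! with S(N) = 2N - 3 + S(N-1), a reading that reproduces the 2.5 x 10^-6 quoted for N = 11; the acceptance rule used in the brute-force count (at least N-1 detonators in their prescribed relative order, all orders equally likely) is likewise an assumption.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial

SAFETY = Fraction(1, 10**6)  # the page's criterion: one chance in one million


def accepts(order):
    """Assumed [(N-1)/N] rule: the firing order is accepted if at least
    N-1 of the detonators fired in their prescribed relative order."""
    def in_order(seq):
        return all(a < b for a, b in zip(seq, seq[1:]))
    return in_order(order) or any(
        in_order(order[:i] + order[i + 1:]) for i in range(len(order)))


def s_bruteforce(n):
    """Count accepted firing orders by enumerating all N! permutations."""
    return sum(1 for order in permutations(range(n)) if accepts(order))


def s_recurrence(n):
    """S(N) = 2N - 3 + S(N-1) for N > 2, with S(2) = 2 (as read from the page)."""
    s = 2
    for m in range(3, n + 1):
        s = 2 * m - 3 + s
    return s


def p_all_in_order(n):
    """[N/N] simple ordering: one accepted order out of N!."""
    return Fraction(1, factorial(n))


def p_one_spare(n):
    """[(N-1)/N] simple ordering under the assumed reading: S(N)/N!."""
    return Fraction(s_recurrence(n), factorial(n))


def smallest_n(prob, start):
    """Smallest N at which a random firing order meets the safety criterion."""
    n = start
    while prob(n) > SAFETY:
        n += 1
    return n


if __name__ == "__main__":
    for n in range(2, 8):
        print(n, s_bruteforce(n), s_recurrence(n))  # the two counts agree
    print("[N/N] needs N =", smallest_n(p_all_in_order, 1))
    print("[(N-1)/N] needs N =", smallest_n(p_one_spare, 2))
    for n in (11, 12):
        print(n, f"{float(p_one_spare(n)):.2e}")
```
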

The  S4:  SEQUENTIAL  (Time-Gated)  strategy  should  be  more  efficient  than  a 
simple  ordering.  The  requirement  that  all  detonators  necessary  to  system 
function  must  function  within  specified  time  channels  with  respect  to  the 
chosen time standard eliminates many environmental stresses that would defeat
an S3 strategy of the same number of detonators. The proof in Appendix C
shows  that  intuition  is  correct.  The  method  used  in  Appendix  C  consists  of 
two  general  steps:  First,  the  S4  [N/N]  problem  is  solved.  Then  the  S4 
[(N-l)/N]  problem  is  written  in  terms  of  the  [N/N]  case  by  using  the  binomial 
expansion  formula.  The  [(N-l)/N]  case  is  then  solved  by  differentiating 
the  terms  of  the  expansion  with  respect  to  each  variable.  The  resulting 
equations  are  evaluated  numerically. 

The  results  are  summarized  in  Equations  (23): 
Examining these simple strategies it is clear that only the S3: Simple Ordering
and the S4: Sequential strategies are of practical utility in designing
in-line s/a systems if the worst-case safety and reliability criteria
are to be met. A surprising result is that time-gating only saves three
detonators over an S3 [11/12] strategy.

VII.  APPLICATION  OF  THE  ANALYSIS  TO  SOME 
PROPOSED IN-LINE SAFE/ARMING DESIGNS

Much of the development of coded-detonator S/A hardware technology has
originated at the US Army, Harry Diamond Laboratory (HDL), Adelphi, Maryland.
Three of the four devices analyzed in this section are taken from designs
shown in a report¹ on their work in this field. The fourth is a generic
design currently being investigated at BRL and earlier at the Naval Surface
Weapons Center (NSWC), Dahlgren, Virginia. In applying the analysis to these
designs, two main points must be acknowledged. First, an objection has
been raised to the application of a worst-case hypothesis to the safe/arm
problem,* since a worst-case assumption is not representative of munition
life-cycle experience. This question is not frivolous. Underspecification
of a s/a mechanism results in a dangerous munition, but overspecification
wastes resources and unnecessarily results in fewer munitions for the user.
A fair and complete discussion of the issue is beyond the scope of this report.
Let us simply note that the results of the analysis are, indeed, based
on the worst-case assumption. A second point that must be noted is that the
devices modeled in the analysis do not reflect other than obvious improvements,
such as changing the confluent shock device from an S2 to an S4
strategy, and may not represent current technology. The s/a designs analyzed
are shown in Table 1.


TABLE 1. TYPES OF IN-LINE S/A DEVICES

Explosive Bolt Device (Explosive Barrier Module) - HDL
Simple Explosive Logic Device - HDL
Confluent Shock Device - HDL
Synchronous Explosive Logic Device - NSWC/BRL


A.  Explosive  Bolt  S/A  Device 

Shown in Figure 7, the Explosive Bolt device consists of a base (generally
plastic), three explosive motors (A,B,C), a lead cup (d), and a detonator (D).
The substrate is cast or machined to provide the cavities and slots shown
in Figure 7. The slots in the substrate define three interlocking "bolts,"
also labeled A,B,C. The device is a mechanical implementation of a Simple
Ordering strategy. The bolts are arranged so that each must be moved in
sequence in order to move the third bolt, the one containing the detonator,
into line. Bolt A has a tab that locks bolt B so that bolt B cannot be
moved until after bolt A slides enough to unlock the tab. Bolts A and B
together prevent bolt C from moving until they have been removed. Thus,
only the sequence A,B,C will permit bolt C to slide into position. This
sequence is performed by firing the explosive motors A,B,C in proper order.
Once this has been accomplished, then bolt C slides detonator D into line
with lead cup (d). Firing the detonator, D, in proper sequence following
motors A,B,C will produce normal functioning of the in-line s/a device.
Any firing out of sequence will produce a dud. The bolts cannot be sequenced
instantaneously as in a mathematical ordering, but the timing can be within
a millisecond (est.). The firing strategy can be approximated as S3 [4/4].

[1] R.K. Warner and D.L. Overman, "Explosive Train Technology for Electronic
Fuzes," HDL-PR-71-1, November 1971.

*D. Overman, US Army ERADCOM, Harry Diamond Laboratory, Adelphi, MD. Letter
dated 7 July 1980.

B. Simple Explosive Logic S/A Device

This s/a device consists of a substrate made of plastic or some similar
inert material in which small, rectangular channels are molded or cut.
These channels form a computing network that performs the s/a logic. The
network is shown diagrammatically in Figure 8. The inputs (from detonators)
are labeled A,B,C in the diagram. Any of the types of logic gate shown in
the rest of Figure 8 might be used. Each null-gate consists of a signal
channel and a control channel. If a detonation in the control channel
reaches the intersection before any detonation in the signal channel, then
the control detonation will destroy the intersection and thus "cut off" the
signal detonation. Functionally, the null-gate behaves as a "break" switch.

In Figure 8 the initiation points are labeled A,B,C in order of their proper
firing. The intersections, where logic switching occurs, are labeled 1
through 6. Operation of the s/a device is as follows:

If detonation from A reaches intersections 4 and 5 before their
respective signal detonations, then 4 and 5 will be cut.

If detonation from input B then occurs, it will not be able to pass
intersection 5 since the cutting detonation from A preceded it. This will
prevent the control detonation B from cutting intersection 2. Consequently,
the detonation from B will proceed along the signal path through intersection
2. It will then proceed to intersection 6 where it will cut the intersection.

Finally, a detonation from input C is received. Since A has previously
cut intersection 4, the signal path from C can pass through intersection 3
(it has not been cut). The detonation then advances to intersection 6.
Input B has previously cut the gate at 6, so C cannot detonate the control
channel at intersection 1. The detonation from C can thus proceed along
the longer signal channel, through intersection 1 and into the output lead.
Any failure to detonate in the proper order results in a dud. The firing
strategy is S3 [3/3].

C. Timed Dual Pulse S/A Device

Although developed as a non-explosive shock transfer device, the dual
pulse shock pyramid has been proposed for use as an in-line s/a device by
itself, on the theory that the likelihood that two detonators would fire in
almost perfect simultaneity is sufficiently remote that the device is safe.
The Timed Dual Pulse s/a device is shown in more detail in Figure 9. The
s/a device is composed of three main elements: a donor explosive, an inert
barrier in the form of a wedge or pyramid, and an acceptor explosive.

The attenuation of the inert barrier is engineered so that if the donor
explosive detonates accidentally and only a single shock front passes over
the barrier, then the pressure transmitted to the acceptor explosive is not
sufficient to initiate detonation in it. If two detonation fronts collide
precisely in front of the inert barrier, then the collision will produce a
much higher (nearly double) pressure in the acceptor explosive and will
initiate detonation in the acceptor. Functionally, the device is an AND
gate. If the inert barrier is fabricated with more than two sides - a
multi-sided pyramid rather than a wedge - then the device will function as a
many-input AND gate. Variations in construction, such as using a directed slug
instead of reflected shocks, have been successfully tested. This is an
S2 [N/N] strategy.

As shown in section VI, the simultaneous strategy is not viable. The Timed
Dual Pulse s/a strategy can be changed from an S2 to an S4: SEQUENTIAL one
by making each leg of the donor explosive a different length or otherwise
making each leg so that detonations initiated at different times will collide
over the barrier. The timing strategy of the Dual Pulse s/a device becomes:

S4 [N/N].

D.  Synchronous  Explosive  Logic  S/A  Device 

This  device  is  based  on  the  "time  window"  concept.  At  the  proper  time, 
a  "window"  is  opened.  This  is  done  by  an  explosive  logic  network  called 
the  "clock."  The  window  is  held  open  by  sending  the  clock  output  through 
an  explosive  delay  path.  When  it  exits  the  delay  path,  the  clock  detonation 
enters  another  explosive  logic  network  called  the  "decoder."  In  the  decoder, 
the  clock  detonation  is  compared  with  the  inputs  from  other  detonators.  If 
the  correct  number  of  detonator  inputs  has  been  received,  then  the  clock 
pulse  provides  an  output  to  the  warhead.  Otherwise,  the  s/a  device  produces 
a  dud.  Although  the  decoder  operates  on  an  S3  [(N-k)/N]  strategy,  this  can 
be  converted  to  an  S4  [(N-k)/N]  by  the  same  method  -  varying  the  length  of 
input  legs  -  that  was  used  to  convert  the  Timed  Dual  Pulse  device  from  S2  to 
S4.  A  functional  block  diagram  of  the  Synchronous  Explosive  Logic  s/a  device 
is  shown  in  Figure  10. 


Figure 7. Explosive Bolt Device

Figure 8. Simple Explosive Logic Device
(Function mode: A then B then C. Strategy: S3 [3/3].)

Figure 9. Confluent Shock (Timed Dual Pulse) Device
(Labels: donor explosive, barrier, acceptor explosive. Function mode: A & B
simultaneously. Strategy: S4 [2/2].)

Figure 10. Synchronous Explosive Logic Device
(Function mode: any (N-K) out of N detonators; each must function at its
proper time. Strategy: S4 [(N-K)/N].)


VIII.  SUMMARY  OF  RESULTS 


It is important to note again that the results of Section VII apply only
to the devices as they were modeled. Some designs may be capable of
improvement to accommodate the safety requirements of various s/a strategies,
while others may not. Such potential growth was no factor in the analysis. With
this caveat explicitly stated, the results are shown in Table 2.


TABLE 2. IN-LINE DEVICE STRATEGIES

DEVICE                         STRATEGY
Explosive Bolt                 S3 [4/4]*
Simple Explosive Logic         S3 [3/3]*
Timed Dual Pulse               S4 [2/2]*
Synchronous Explosive Logic    S4 [(N-k)/N]

*It is assumed that all of these devices could be improved by
increasing the number of system variables.


IX.  CONCLUSIONS 


A.  Specific  Conclusions 


By  assuming  that  a  s/a  device  will  experience  the  worst  possible  stress, 
we  have  developed  a  quantitative  approach  to  analyzing  safe/arm  devices. 

Of the four simple strategies examined (S1-S4), two, the S1: Timeless
and the S2: Simultaneous, are not suitable for use in safe/arm design.

Both the S3: Simple Ordering and the S4: Sequential strategies can
meet s/a safety requirements even with the worst-case assumption. The S4
strategy requires fewer detonators than the S3 strategy.

Detonator efficiency alone does not mean that S4 is a superior strategy
to S3. S4 devices require a time standard. This is provided by an
explosive logic network called a "clock." The need for a clock means that S4
networks are more complex than S3 networks. S3-based strategies have a
second advantage: Since the time between detonators is not very
important (only the order), uniformity of function time is not very important.
Cheaper detonators can be used in an S3-based system. By electrically
timing detonator firing signals far enough apart, irregularities in function
time would be cancelled. Increased time between firings has an added
bonus - power demand on the missile electrical supply is less.

Strategies that use the [(N-1)/N] function class are favored over those
that use the [N/N] class because the small increase (1 detonator) in input
variables required by the [(N-1)/N] class is more than compensated by the
inherent reliability advantages of permitting at least one detonator to
malfunction. Strategies using lower function classes, e.g., [(N-2)/N], will
not be favored because the number of detonators required to meet safety
requirements becomes prohibitive.

Four proposed in-line s/a devices were examined using the quantitative
methodology. The Explosive Bolt and Simple Explosive Logic devices, as
modeled in the analysis, did not meet the requirements of the worst-case
assumption, but it appears that either one could be expanded to meet the
safety requirement. Since both devices use the [N/N] class strategy,
reliability penalties would occur. If a change to the [(N-1)/N] class became
necessary, then complete redesign might be needed.

The Timed Dual Pulse, if improved to S4 [8/8], and Synchronous Explosive
Logic (depending on one's conservatism) S4 [7/8] devices can meet the safety
requirements, but the Timed Dual Pulse device may have difficulty meeting the
reliability standards because its strategy is based on the [N/N] class.

B.  General  Conclusions 

Safe/arm devices can be designed to insure absolute immunity from any
global environmental stress with a failure rate of no more than one per million.

The fact that even in-line and stored-energy devices can achieve such
immunity constitutes absolute, quantitative proof of the technological
feasibility of in-line and stored-energy s/a designs.

The worst-case hypothesis has been criticized as not representative of
genuine munition life-cycle experience. As stated, this objection is
absolutely correct. However, the worst-case assumption does give valuable
insight into the response of s/a designs to their environment. The assumption
also provides guaranteed performance where experimental or experiential data
are absent. Since stored-energy and in-line devices are inherently less robust,
they must be evaluated more conservatively than traditional s/a designs.
Obviously, a quantitative theory that accurately modeled munition
life-cycle experience would be much better as an evaluation tool than the
worst-case procedure. Such a life-cycle model would test precisely what we
want the s/a device to do. A precise statement of what we want a s/a device
to do has not been defined. This is clearly needed before quantitative
techniques can be fully developed.


APPENDIX  A. 


THE  MULTIPLE  INDEPENDENT  EVENT  MODEL 
OF  THE  SIMULTANEOUS  STRATEGY 



We  wish  to  analyze  the  behavior  of  a  system  of  detonators  in  which  all, 
or  some  specified  subset,  must  function  "simultaneously."  Since  the  function 
time  of  detonators  is  not  perfectly  predictable,  we  must,  for  reliability’s 
sake,  consider  detonators  that  function  within  some  time,  t,  of  the  mean 
time  to  function  as  being  "simultaneous."  The  problem  is  further  compounded 
by  the  use  of  one  of  the  detonators  as  a  time  standard.  Even  worse,  if  we 
let  any  detonator  be  a  time  standard,  there  are  multiple  possibilities  for 
"simultaneity."  This  multiple  time  standard  results  in  a  very  complicated 
problem. 

Let  us  first  make  several  simplifications: 

(1)  We  will  pick  only  one  detonator  to  be  a  time  standard  and  all 
other  detonators  will  be  referred  to  it. 

(2)  All  detonators,  including  the  time  standard,  are  picked  from  the 
same  population  and  the  deviations  from  the  mean  function  time  of  the 
population  are  normally  distributed  about  that  mean. 

(3)  All  detonators  are  independent  of  each  other,  that  is,  the  function 
time  of  one  detonator  does  not  influence  the  function  time  of  any  other 
detonator. 

The implication of simplification #1 is that we will compute a system
probability of function that is smaller than that of a system with multiple
time standards. If we examine the response of the system to an
accidental stress, the computed response will therefore be a lower bound:
if the simplified system fails, then a real system must also fail.

The implication of simplification #2 is that we can pick a single
number, $\delta = t$, such that if any detonator is within $\delta$ of the
time standard, then it is "simultaneous."

The implication of simplification #3 is that we only have to consider
the relation of each detonator with the time standard. The system function
probabilities can thus be computed from the simultaneity measurement of each
detonator w.r.t. the time standard.

This can be written formally by defining:

$t$ is the time measured by some absolute time standard.

$e_0$ is the event, "The local time standard functions."

$z_0$ is the time that the local time standard functions, with the mean time
of functioning being at $t = 0$.

$e_i$ is the event, the i-th detonator functions within a time, $\delta$, of
the time standard, $z_0$.

$z_i$ is the time that the i-th detonator functions.

All times, $z$, are normally distributed about the time $t = 0$.

Thus,  we  can  write 


Obviously, 


(A-l) 


P 


(A-2) 


phej 


1  e  J  P'  e . 

M  M 


( A— 3 ) 


This means that each detonator event is independent of the other
detonator events. If we have a set of events, $\{e_i\}$, and event probability,
$P\{e_i\} = q$ for all i, then


The first equation defines the "N/N" case, the second equation defines
the "(N-1)/N" case. Similar equations can be developed for other cases such
as "at most two detonators fail" by using additional terms of the binomial
expansion, but only the [N/N] and [(N-1)/N] cases are of practical interest.

Now suppose that we have a system of N detonators like the system
described above. Suppose that the system is subjected to some environmental
stress such that the probability that any given detonator will function due to
the stress is normally distributed about a mean time, T=0, with standard
deviation, sigma ($\sigma$). We must note that this environmentally induced
detonator function distribution is completely different from the function time
distribution during normal operation - the $\delta$ discussed above. Normal
operation of the system is fixed by the physical characteristics of detonator
construction, while the environmentally induced distribution can be as wide or
as narrow as nature desires. Thus, $\delta$ is fixed by the physical
limitations of the detonators we use, while $\sigma$ can vary as nature (the
environment) wills.

We know that as the sigma of the environmental stress becomes smaller,
the probability of system function (the specified subset of N detonators
functioning within $\delta$ of the standard) will rise. At some value of
$\sigma$, the system probability of function due to environmental stress will
just equal $10^{-6}$.


The simplest system we can look at is an [N/N] one, e.g., all the
detonators must function properly to cause a system event. Since the detonators
are independent events, we can write

$$P\{\text{system event}\} = A^N = 10^{-6} \tag{A-6}$$

where A is a value to be determined once we know N. Somewhat more complicated
is the [(N-1)/N] case, where no more than one detonator can fail to function
within the simultaneity requirement if we are to have a system event. Since
the detonators are independent of each other, we can use the binomial
expansion

$$P\{\text{system event}\} = A^N + NA^{N-1}(1-A) = 10^{-6}. \tag{A-7}$$

For [(N-2)/N] or other systems, we obtain a polynomial in A from the
binomial expansion by including the extra terms needed. A represents the
probability that any one detonator fires within the time window defined as
simultaneous. All needed information about system strategy is contained in
the equation defining A. The problem reduces to an investigation of how the
value of A and the $\sigma$ of the environmental stress are related. This
problem has been examined in three different ways.

FIRST  APPROACH 


The first approach is pessimistic because we replace the environmental
normal distribution by a uniform distribution of width $\pm\sigma$, where
$\sigma$ is the standard deviation of the (now replaced) environmental normal
distribution. This is shown schematically in Figure A-2(a). The height of the
new distribution is $1/2\sigma$, so the distribution is more clustered about
the mean than the original normal distribution. The area under the
distribution is unity.

Next, let us partition the distribution into vertical strips of width
$2\delta$, with each strip having area

$$\text{Area} = 2\delta \cdot \frac{1}{2\sigma}, \quad \text{where } \frac{1}{2\sigma} \text{ is the height.} \tag{A-8}$$

A single strip is simply the probability that a detonator will fail within
$\pm\delta$ of the time standard.

We require that the probability that any detonator fail simultaneously
with the standard must equal A, so

(A-9)

rearranging,

$$\sigma = \frac{\delta}{A}. \tag{A-10}$$

SECOND  APPROACH 


The second approach is due to W. Baker.* It is less pessimistic than
the first solution, but it is still a worst-case analysis for the normal
distribution. As in the first solution, let us replace the normal distribution
of the environment with a uniform distribution. Instead of fixing the width
at $\pm\sigma$, however, let's fix the height equal to the value of the normal
distribution at its mean, $1/(\sqrt{2\pi}\,\sigma)$. This constitutes precisely
the worst case for a normally distributed environment, since the normal
distribution is never greater than its value at the mean. This schematic is
shown in Figure A-2(b). The width of the uniform distribution will be slightly
more than $\pm\sigma$, say it is $\pm c\sigma$, where $c > 1$.

As before, if we divide the uniform distribution into strips $2\delta$ wide, we
can equate the area of a single strip to A.

This time, however, the strip is not $1/2\sigma$ high. Instead it is
$1/2c\sigma$ high. Thus, we can write

(A-11)

rearranging,

$$\sigma = \frac{\delta}{cA}. \tag{A-12}$$

*Private communication.


THIRD  APPROACH 


The third approach to the problem is due to M. Taylor.*

Instead of trying to replace the environmental distribution with a simpler
one, let's consider the expression

$$P\{|z_i - z_0| < \delta\} = A, \quad \text{where } z_i \text{ is the function time of the i-th detonator.} \tag{A-13}$$

The left side of this equation is the probability that two normally
distributed function times (the time standard and another detonator) will
function within $\pm\delta$ of each other. The corresponding diagram for this
case is shown in Figure A-2(c).

The right side of equation (A-13) is, of course, the value we wish this
probability to have. The above equation can be rewritten

$$P\{-\delta < (z_i - z_0) < \delta\} = A. \tag{A-14}$$

This equation can be transformed into one with a variable that is
normally distributed with mean of zero and variance of one

$$P\left\{-\frac{\delta}{\sqrt{2}\,\sigma} < \frac{z_i - z_0}{\sqrt{2}\,\sigma} < \frac{\delta}{\sqrt{2}\,\sigma}\right\} = A. \tag{A-15}$$

Since the normal distribution is symmetrical about the mean

$$P\left\{0 < \frac{z_i - z_0}{\sqrt{2}\,\sigma} < \frac{\delta}{\sqrt{2}\,\sigma}\right\} = A/2. \tag{A-16}$$

From this we obtain

$$\frac{\delta}{\sqrt{2}\,\sigma} = Z(A/2) \tag{A-17}$$

where Z(A/2) is the number of standard deviations needed to enclose an area
of A/2 from the mean to $\delta/\sqrt{2}\,\sigma$ under the standard normal
distribution.

*M. Taylor, System Engineering & Concepts Analysis Division, US Army Ballistic
Research Laboratory, private communication.


Let's compare the three solutions. The first is a worst-case for a
distribution somewhat more peaked than the normal distribution. The second is
the worst-case for the normal distribution. Third is the exact solution
which gives the expected results for a large number of trials, assuming the
environment is normally distributed. Each solution yields an equation
involving the three variables, $\sigma$, $\delta$, and A.

$$\text{Solution I:}\quad \sigma = \frac{\delta}{A} \tag{A-18a}$$

$$\text{Solution II:}\quad \sigma = \frac{\delta}{cA}, \quad \text{where c is a constant} > 1; \tag{A-18b}$$

$$\text{Solution III:}\quad \sigma = \frac{\delta}{\sqrt{2}\,Z(A/2)} \tag{A-18c}$$


These three solutions will be used to obtain an answer to one of the
most important questions we can ask about an S2 system, "Just how large a
system is needed to satisfy safety requirements?" To answer this question,
consider first the general polynomial expression for the quantity, A


r  A 


JO-6 


(A-19) 


This is an N-th order polynomial in A. The two simplest cases are
[N/N] and [(N-1)/N], which give, respectively,

$$A^N = 10^{-6} \tag{A-20}$$

and

$$A^N + NA^{N-1}(1-A) = NA^{N-1} - (N-1)A^N = 10^{-6}. \tag{A-21}$$

When N is small, e.g., N=1, then A must be small.

$$A^1 = 10^{-6} \tag{A-22}$$

implies that

$$A = 10^{-6}; \tag{A-23}$$

for the [(N-1)/N] case there is no solution below N=2,

$$2A^{2-1} - (2-1)A^2 = 10^{-6} \tag{A-24}$$

$$2A - A^2 = 10^{-6} \quad \text{implies that} \quad A = 5.00001 \times 10^{-7}. \tag{A-25}$$

Case #1: [N/N] strategy.

As N gets very large,

$$A^N = 10^{-6}, \quad 0 < A < 1,$$

has different solutions for A that seem to tend toward a value A=1 as N tends
to infinity. We want to show that as N tends to infinity, A does indeed
approach 1. In the general case (A less than 1),

$$A^N = h, \quad \text{where h is a positive number} < 1. \tag{A-26}$$


It is necessary to first show that the limit function exists as N tends
to infinity. This can be done by using the Cauchy condition for uniform
convergence [A-1]; the Cauchy Theorem requires that functions in an infinite
sequence get "closer" as N gets larger.

We must show that for every $\epsilon > 0$, there exists an N such that
m, n > N implies


K  - t J  < « 


for  every  A  in 


(A-27) 


In our case, we wish to show

$$|A^m - A^n| < \epsilon \tag{A-28}$$

for every A in

Proof:

For every m, n positive, $A^m$, $A^n$ are positive since A is positive.
If m, n are greater than N, $0 < A^m, A^n < A^N$; therefore,

$$|A^m - A^n| < A^N; \quad \text{let } A^N = \epsilon, \text{ say;} \tag{A-29}$$

then for all m, n > N, $|A^m - A^n| < \epsilon$, which completes the proof.

Since we know that the limit exists, we can solve for the value of A

$$A = h^{1/N} \to 1 \quad \text{as } N \to \infty. \tag{A-30}$$

Thus, for the [N/N] case, the limit value of A is 1.

[A-1] T.M. Apostol, Mathematical Analysis, pp. 395, Addison-Wesley Co., 1957.

Case  #2:  The  [(N-l)/N]  strategy. 

The [(N-1)/N] case also yields a Cauchy sequence of functions which we
can handle by building on the result obtained from the [N/N] case. The
[(N-1)/N] equation is obtained from the first two terms of the binomial
expansion $(A + (1-A))^N$. For the [(N-1)/N] case we can write

$$A^n + nA^{n-1}(1-A) = b. \tag{A-31}$$

We wish to explore

$$\lim_{n \to \infty} \left[ A^n + nA^{n-1}(1-A) \right]. \tag{A-32}$$

By the sum of the limits theorem

$$\lim_{n \to \infty} \left[ A^n + nA^{n-1}(1-A) \right] = \lim_{n \to \infty} A^n + \lim_{n \to \infty} nA^{n-1}(1-A) \tag{A-33}$$

if both limits exist.

We know from the previous [N/N] case that the first term has a limit for
all $A \in [0,1]$. We need only find the limiting case (if it exists) for the
second term, $nA^{n-1}(1-A)$.

Consider the sequence of functions

$$f_n = nx(1-x)^n. \tag{A-34}$$

This is very nearly the same as the sequence of functions that we seek to
evaluate, with x = 1-A.


It is shown in Apostol [A-2] that this sequence has a limit function as n
tends to infinity. The limit function is defined over the closed interval,
[0,1], and has the value 0 for each point in the interval. That is

$$\lim_{n \to \infty} f_n = \lim_{n \to \infty} nx(1-x)^n = 0 \quad \text{for all } x \in [0,1]. \tag{A-35}$$

Substitute y = 1-x to get

$$\lim_{n \to \infty} f_n(y) = \lim_{n \to \infty} n(1-y)y^n = 0, \quad y \in [0,1]. \tag{A-36}$$

Now, consider

$$\frac{1}{y}\,n(1-y)y^n. \tag{A-37}$$

Using the Cauchy condition for uniform convergence, we must show that for all
$\epsilon > 0$, there exists N such that m, n > N imply

$$\left| \frac{f_m}{y} - \frac{f_n}{y} \right| < \epsilon, \tag{A-38}$$

or

$$\left| \frac{1}{y}\,m(1-y)y^m - \frac{1}{y}\,n(1-y)y^n \right| < \epsilon; \tag{A-39}$$

but, we know that $y \in (0,1]$, so

(A-40)

The term $(1/y)\,n(1-y)y^n$ converges to a limit function that has value 0
throughout the half open interval (0,1], but

(A-41)

which is exactly what we seek, with y substituted for A.

$$\lim_{n \to \infty} nA^{n-1}(1-A) = 0 \quad \text{for all } A \in (0,1]. \tag{A-42}$$

We don't care that the limit point at A=0 has been lost, since we are exploring
in the neighborhood of the upper limit point, A=1.

Since the limit exists over (0,1], and the limit for $A^n$ also exists over
that interval, then the sum of the limits theorem applies; and the limit
function

$$A^n + nA^{n-1}(1-A) = b \tag{A-43}$$

also exists in the half open interval, (0,1]. The limit value of A $\to$ 1 as
n (and therefore N) $\to \infty$.

A similar argument can be extended to any finite [(N-k)/N] case. Each
new term is obtained by taking the next term of the binomial expansion. For
any [(N-k)/N] system, the limit value of A, as the number of detonators gets
very large, is thus A=1.

[A-2] Apostol, pp. 391, Example 1.

Comparison  of  the  three  solutions  for  the  S2  Strategy 

We  can  use  the  result  of  Eq.  (A-42)  to  re-examine  the  three  solutions  to 
the  problem  of  how  wide  an  environmental  pulse  is  needed  to  defeat  the  system: 


Solution  I:  tr 


_5_ 

A 


(A-44a) 


Solution  II:tr  =  — —  where  c  is  a  constant  >  1  ;  (A-44b) 

c  A 


Solution  HI:  cr 


( A-44c) 


As  shown  above,  for  large  N  the  value  of  A  converges  to  1 ,  so 

Solution  I:  <r  ~  ;  (A-45a) 


42 


Solution  II:  a 


c 


( A-45b) 


Solution  III:  cr 


8 


Viz 

A 

2 

0  as  A 


1 


( A-45c) 


The  first  two  solutions  indicate  that  a  finite  environmental  pulse  width, 
as  shown  in  Figure  A-l,  will  defeat  even  an  infinitely  large  system.  The 
third  solution,  one  we  may  feel  is  more  "precise,"  confirms  the  intuitive 
feeling  that  the  a  of  the  environment  needed  to  defeat  a  system  must  tend  to 
zero  as  the  number  of  detonators  tends  to  infinity.  Clearly,  there  is  at 
least  the  appearance  of  a  contradiction  among  the  different  solutions. 

Instead of examining the mathematically infinite case, suppose we examine a "practical" infinity - suppose A/2 = .4998, say. This corresponds to a system of about 40,000 detonators. From the tabulated Normal Curve of Error, Z(.4998) corresponds to an average of 3.54 standard deviations. If we use this value in Solution III,

$$\frac{\sigma}{\delta} = \frac{1}{\sqrt{2}\,(3.54)} \approx \frac{1}{5} \tag{A-46}$$

The apparent contradiction is resolved. While the environmental $\sigma$ does tend to zero for infinite N, it converges so slowly that even huge values of N will be defeated by fairly wide environmental pulses. A theoretical solution [A-3] to do this same problem has been published by W. Baker and M. Taylor.

[A-3] E. Baker and M. S. Taylor, "An Order Statistic Approach to Fuze Design," ARBRL-TR-02313, April 1931 (AD A100753).


APPENDIX  B. 


A FORMULA FOR THE COMPUTATION OF S3 [(N-1)/N] STRATEGIES


Consider a system of N detonators in which at least (N-1) must fire in
proper  order.  Denote  the  set  of  all  outcomes  which  produce  an  explosive 
event  by  S(N).  We  can  partition  the  set  of  all  possible  outcomes  into  three 
mutually  exclusive,  collectively  exhaustive  sets  of  events  which  we  can  call 
Class  I,  Class  II,  and  Class  III.  Each  class  can  be  evaluated  separately  and 
then  the  results  summed  to  get  the  total  of  all  possible  outcomes  which  will 
yield  a  system  event. 

Class I consists of sequences in which detonator #1 fires first. Since detonator #1 is supposed to be first, this is no failure. Of the remaining N-1 detonators only N-2 must fire in proper sequence to make the s/a device fail. This is an S3 [(N-2)/(N-1)] strategy with outcomes denoted as S(N-1).

Class II consists of those sequences where detonator #2 fires first. Since one failure has been experienced, no other failures are permitted in the remaining N-1 detonators. This can only occur if the detonators 3,4,5,...,n are sequenced in that order no matter when detonator #1 fires. The possible sequences yielding this are: 1,3,4,...; 3,1,4,...; 3,4,1,5,...; etc. There are exactly N-1 of these.

Class  III  events  consist  of  those  outcomes  in  which  some  detonator  other 
than  #1  or  #2  fires  first.  There  are  exactly  N-2  detonators  which  can  fit 
this  criterion.  For  each  of  them,  there  is  exactly  one  sequence  which  will 
yield an explosive event: K,1,2,3,4,...,(K-1),(K+1),...,n. There are thus
exactly  N-2  outcomes  in  Class  III. 

If  we  sum  the  contributions  of  Classes  I,  II,  and  III,  we  get 


$$\begin{aligned} S(N) &= \text{Class I} + \text{Class II} + \text{Class III} \\ &= S(N-1) + (N-1) + (N-2) \\ &= S(N-1) + 2N - 3. \end{aligned} \tag{B-1}$$

This is a recursive definition for N > 2. S(2) is defined as 2. The cumulative results for detonator systems with up to 12 detonators are shown in Table B-1.
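The recursion of Eq. (B-1) can be checked against a direct count over all N! firing orders. The following is an added example, not code from the report; it assumes that "at least (N-1) fire in proper order" means the firing order contains N-1 detonators in increasing sequence, and the function names are hypothetical.

```python
from bisect import bisect_left
from fractions import Fraction
from itertools import permutations
from math import factorial


def s_recursive(n):
    """S(N) from Eq. (B-1): S(2) = 2 and S(N) = S(N-1) + 2N - 3 for N > 2."""
    if n < 2:
        raise ValueError("the S3 [(N-1)/N] strategy needs at least 2 detonators")
    s = 2
    for m in range(3, n + 1):
        s += 2 * m - 3
    return s


def in_order_count(order):
    """Largest number of detonators in `order` that fire in proper sequence
    (longest increasing subsequence, patience-sorting method)."""
    tails = []
    for d in order:
        i = bisect_left(tails, d)
        if i == len(tails):
            tails.append(d)
        else:
            tails[i] = d
    return len(tails)


def class_counts(n):
    """Enumerate all N! firing orders and count the event-producing ones,
    split by which detonator fires first: (Class I, Class II, Class III)."""
    counts = [0, 0, 0]
    for order in permutations(range(1, n + 1)):
        if in_order_count(order) >= n - 1:   # assumed reading of the strategy
            counts[min(order[0], 3) - 1] += 1
    return tuple(counts)


def failure_probability(n):
    """P(N) = S(N)/N!, the last column of Table B-1, as an exact fraction."""
    return Fraction(s_recursive(n), factorial(n))


if __name__ == "__main__":
    for n in range(3, 9):                    # brute force costs N!, keep N small
        assert class_counts(n) == (s_recursive(n - 1), n - 1, n - 2)
    for n in range(2, 13):                   # the range covered by Table B-1
        print(n, s_recursive(n), float(failure_probability(n)))
```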
TABLE B-1.

FAILURE PROBABILITIES FOR VARIOUS S3 [(N-1)/N] STRATEGIES
N  2N-3 + S(N-1) = S(N)  P(N) = S(N)/N!


FORMULAE  FOR  AN  S4:  SEQUENTIAL  STRATEGY 


Consider  a  system  of  N  detonators,  each  physically  identical,  but  each 
assigned  a  proper  time  to  function.  We  wish  to  compute  the  system  probability 
of  function  when  the  system  is  subjected  to  a  sequence  of  trials  by  a  global 
environmental  stress  and  the  environmental  strategy  is  maximized.  We  wish 
to  determine  what  that  maximal  environmental  strategy  is.  Only  'look-shoot' 
strategies  are  examined,  that  is,  the  environment  first  'looks'  at  the  s/a 
device  then  'shoots'  the  maximal  strategy  determined  from  the  look.  More 
complex  strategies  of  the  'look-shoot-look-...'  type  might  be  superior  in 
some  circumstances.  Some  analysis  of  them  has  been  completed,  but  will  not 
be covered in this report. A complete coverage of flexible (look-shoot-look-shoot-...) strategies may be examined in a later report.

It seems clear that the safe/arm device will maximize its chances of surviving environmental stress by requiring that exactly one detonator function
properly  in  each  appropriate  time  window  and  that  the  environment  will  improve 
its  chances  by  timing  the  stresses  to  precisely  match  the  detonators'  proper 
times  to  function. 

Case #1: The number of stresses equals the number of detonators. The detonator strategy class is S4[N/N].

Let $P_0$ be the system probability of function. Let $p_k$ be the probability that a detonator will function on the k-th stress given that it exists on the k-th stress. Since all detonators are physically identical, all detonators that exist at the time the k-th stress is applied will have equal probability of functioning. In a time-gated strategy the proper detonator should function on the k-th stress, while those supposed to function after the k-th (and have not gone off before the k-th stress) are NOT to function. Let $p_k$ be continuous and differentiable in the interval [0,1]. Let k, N be finite integers with $1 \le k \le N$. Thus, the system probability of function can be written

$$P_0 = \prod_{k=1}^{N} p_k (1-p_k)^{N-k} \tag{C-1}$$

If $P_0$ has an extremum in the N-dimensional interval (0,1), it is necessary that

$$\frac{\partial P_0}{\partial p_k} = 0 \quad \text{for EACH } k. \tag{C-2}$$

We can separate the variables if we let

$$f_k(p_k) = p_k (1-p_k)^{N-k} \tag{C-3}$$

so that

$$P_0 = f_1 f_2 f_3 \cdots \tag{C-4}$$




The necessary condition of equation (C-2) is equivalent to

$$f_k' = 0 \tag{C-5}$$

Solving this we get

$$f_k' = (1-p_k)^{N-k} - (N-k)\,p_k (1-p_k)^{N-k-1} = 0 ; \tag{C-6}$$

therefore,

$$(1-p_k)^{N-k-1}\,[\,1 - p_k - (N-k)\,p_k\,] = 0 \tag{C-7}$$

Aside from the non-maximal solution $p_k = 1$,

$$p_k = \frac{1}{N-k+1} \tag{C-8}$$


The functions of equation (C-8) are single valued, so that only one extremum exists for each $p_k$. It is easy to show that each of the functions $f_k$ is concave downward, and that (C-8) defines a maximum for $P_0$.

We note that 1) $f_k > 0$ when $p_k$ equals $1/(N-k+1)$;

2) $f_k(0) = f_k(1) = 0$ for $k < N$.

But equation (C-8) ensures that there is only one extremum of $f_k$ on [0,1], so the functions $f_k$ must have maximum value at $p_k = 1/(N-k+1)$. Because the variables are separable, the probability function $P_0$ has a maximum when all $f_k$ have maxima. This means that the optimum stress sequence for the environment to use to defeat a safe-arm system using the sequential strategy is {1/N, 1/(N-1), ..., 1/1}.

If we use these values for $p_k$ in equation (C-1), then we get

$$P\{\text{at optimum environment}\} = \prod_{k=1}^{N} \left(\frac{1}{N-k+1}\right)\left(1 - \frac{1}{N-k+1}\right)^{N-k} \tag{C-9}$$

If we set the result of equation (C-9) equal to the safety standard

$$P = \prod_{k=1}^{N} \frac{1}{N-k+1}\left(\frac{N-k}{N-k+1}\right)^{N-k} = 10^{-6} \tag{C-10}$$

Numerical iteration can be used to give

$$P\{S4[7/7]\} \approx 1.2 \times 10^{-6} \tag{C-11}$$
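Equations (C-1), (C-8) and (C-9) can be evaluated exactly to check a design against the safety standard. The following is an added example, not code from the report; the function names are hypothetical, and the observation that the product in (C-9) telescopes to N^-N is this example's own, not a statement from the report.

```python
from fractions import Fraction
from math import prod


def p_function(stress):
    """P_0 of Eq. (C-1) for a stress sequence p_1..p_N (N = len(stress))."""
    n = len(stress)
    return prod(p * (1 - p) ** (n - k) for k, p in enumerate(stress, start=1))


def optimum_stress(n):
    """Worst-case stress sequence of Eq. (C-8): p_k = 1/(N-k+1)."""
    return [Fraction(1, n - k + 1) for k in range(1, n + 1)]


def p_at_optimum(n):
    """Eq. (C-9): P_0 at the worst-case sequence, as an exact fraction.
    The factors (m-1)^(m-1)/m^m telescope, so the value equals N**-N."""
    return p_function(optimum_stress(n))


def is_local_maximum(n, step=Fraction(1, 100)):
    """Nudge each p_k up and down by `step`; P_0 must never increase."""
    best = optimum_stress(n)
    top = p_function(best)
    for k in range(n):
        for delta in (-step, step):
            trial = list(best)
            trial[k] += delta
            if 0 <= trial[k] <= 1 and p_function(trial) > top:
                return False
    return True


def smallest_n_meeting(standard=Fraction(1, 10**6)):
    """Fewest detonators for which the worst-case P_0 is at or below
    the safety standard used in Eq. (C-10)."""
    n = 1
    while p_at_optimum(n) > standard:
        n += 1
    return n


if __name__ == "__main__":
    print(float(p_at_optimum(7)))        # compare with Eq. (C-11)
    print(is_local_maximum(7), smallest_n_meeting())
```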


We can use the formula for the S4[N/N] to obtain a solution for the S4[(N-1)/N] strategy. For notational convenience let $P_{\frac{N-i}{N-j}}$ denote P{S4[(N-i)/(N-j)]}.

Assume that the number of stresses equals the number of detonators. The detonator strategy class is S4[(N-1)/N]:

$$P_{\frac{N-1}{N}} = P\{\text{all } N \text{ function properly}\} + P\{\text{exactly one malfunctions}\} \tag{C-12}$$


The first term in Equation (C-12) is just the result for the [N/N] strategy, as shown in Equation (C-9). The second term can be written

$$P\{\text{exactly one malfunctions}\} = \sum_{i=1}^{N} P_{\frac{N}{N}} \times \frac{P\{i\text{-th det malfunctions}\}}{P\{i\text{-th det functions properly}\}} \tag{C-13}$$


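Let $s_i$ be the probability that the i-th detonator functions properly. Then, equation (C-12) can be written

$$P_{\frac{N-1}{N}} = P_{\frac{N}{N}} + P_{\frac{N}{N}} \sum_{i=1}^{N} \frac{1-s_i}{s_i} \tag{C-14}$$

Simplifying,

$$P_{\frac{N-1}{N}} = P_{\frac{N}{N}} \times \left[\,1 - N + \sum_{i=1}^{N} \frac{1}{s_i}\right] \tag{C-15}$$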


Now $s_i$ is the probability that the i-th detonator works properly. This probability can be expressed as the probability that the i-th detonator functions on the i-th stress IF it exists on the i-th stress times the probability that it WILL exist on the i-th stress:

$$s_i = p_i \prod_{j=0}^{i-1} (1-p_j), \quad \text{where } p_0 = 0. \tag{C-16}$$

Using this expression in equation (C-15) gives

$$P_{\frac{N-1}{N}} = P_{\frac{N}{N}} \times \left[\,1 - N + \sum_{i=1}^{N} \frac{1}{p_i \prod_{j=0}^{i-1}(1-p_j)}\right] \tag{C-17}$$

As before, the optimum environmental strategy is obtained by differentiating Equation (C-17) and setting each derivative equal to zero:

$$\frac{\partial}{\partial p_i} P_{\frac{N-1}{N}} = 0 \tag{C-18}$$


Using a modified Newton-Raphson optimization routine, this problem was solved numerically for three systems: [6/7], [7/8], and [8/9]. The results were:

$5.2 \times 10^{-5}$ ; (C-19a)

$3.4 \times 10^{-6}$ ; (C-19b)

$1.8 \times 10^{-7}$ . (C-19c)


Case #2: The number of pulses exceeds the number of detonators. Detonator strategy is S4[N/N]. If the environment attempts to produce a resonant response from a system, then the strategy can be defeated by spacing the detonator channels (time windows) so that the time spacings are prime relative to one another (measured in time window widths). This forces the environment to generate an excessive number of stress pulses. The extra stresses must evoke no system response, since any detonator functioning between time windows would be mistimed. The number of extra trials is given by


$$\#\text{ of extra trials} = \sum_{i=1}^{N} T_i - N, \tag{C-20}$$

where $T_i$ is the spacing of the i-th time window and N is the number of detonators. The number of extra trials can be made arbitrarily large, so that the probability of the system surviving the extra trials intact is then arbitrarily small. This makes the constant frequency attack non-viable.

The  final  environmental  option  considered  is  a  group-pulse  attack.  In 
this  approach  the  environment  attempts  to  fail  the  s/a  device  with  the  first 
group  of  pulses.  If  the  system  neither  functions  nor  duds,  then  a  second 
group  of  pulses  tests  the  system.  The  process  continues  until  the  system 
either functions or duds. If the system survives a given set of pulses unscathed, then it is clear that whatever environmental strategy was optimal
for  the  just  completed  group  of  stresses  will  be  optimal  for  the  next  group. 
It  follows,  therefore,  that  the  system  function  probability  for  an  infinite 
set  of  pulse  groups  would  be 


$$P = P_0\,(1 + R + R^2 + R^3 + \cdots). \tag{C-21}$$


where $P_0$ is the same probability function defined in Equation (C-1) and R is the probability that a group of N pulses fails to produce any system response at all:


R 


(C-22) 


Note that $1 + R + R^2 + \cdots$ is an infinite geometric series. Using the formula for the sum of a geometric series in Equation (C-21) we obtain


(C-23) 


Once  again  we  examine 


-  0  • 


It  is  convenient  to  note  that 


and 


N-k 

1_Pk 


N  R 
1~Pk  . 


(C-24) 


(C-2  5) 


(C-26 ) 


Using  Equations  (C-25)  and  (C-26)  in  Equation  (C-23)  we  obtain  the  general 
result 


Po 

N-k 

Po 

NR 

1  -R 

Pk 

1“Pk 

1 

1 

* 

NJ 

l~Pk 

(C-2  7) 


Solving for $p_k$,

$$p_k = \frac{1-R}{N-(k-1)(1-R)}. \tag{C-28}$$

Although  no  general  proof  is  given  here,  there  is  a  general  solution  which 
shows  that  pulse  groups  after  the  first  are  identically  zero.  The  work  has 
been  done  by  a  mathematician  in  the  United  Kingdom  who  plans  to  publish  his 
proof  separately. 